Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: accessing network traffic; accessing name translation traffic from the network traffic; accessing name information and address information from the name translation traffic; storing the name and address information; accessing subsequent network traffic sent by a device, wherein the network traffic includes address information; determining a match between address information of the subsequent network traffic and the address information of the name translation traffic; associating network traffic from the device with the name information; determining a session classification based on the name information; classifying the device based on the name information; and assigning a security policy to the classified device, wherein the security policy is assigned based on the classification of the device.
2. The method of claim 1, wherein the name translation traffic is a domain name system (DNS) response and the address information comprises an internet protocol (IP) address.
3. The method of claim 1, wherein the classifying of the device is based on at least one of a domain name or a subdomain name of the name information.
4. The method of claim 1, further comprising: determining an indication of compromise (IoC) of the device based on the name information.
5. The method of claim 1, further comprising: determining an indication of intrusion based on the name information.
6. The method of claim 5, wherein the indication of intrusion is based on a signature.
7. The method of claim 1, wherein the name translation traffic is accessed from an intermediate naming device.
8. The method of claim 1, further comprising: accessing time information from the name translation traffic.
9. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to: access a first packet comprising name information and address information; store the name information and address information; monitor network traffic for an address matching the stored address information; determine a match between an address portion of a second packet and the stored address information, wherein a device is the sender of the second packet; and determining a characteristic associated with the device that sent the second packet based on the name information associated with the stored address information, wherein the characteristic associated with the device comprises a classification of the device; wherein the characteristic associated with the device comprises a session classification of the device; and assigning a security policy to the device, wherein the security policy is assigned based on the session classification of the device.
10. The non-transitory computer readable medium of claim 9, wherein the characteristic associated with the device comprises an indicator of compromise (IoC) of the device.
11. The non-transitory computer readable medium of claim 9, wherein the characteristic associated with the device comprises an indication of compromise of the device.
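As an added illustration (not code from the patent or from any product practicing it), the following Python sketch shows the pipeline of claims 1, 3 and 8: DNS answers are stored keyed by address together with the time they were seen, later flows are matched on destination address, the sending device is classified from the domain or subdomain of the stored name, and a policy is assigned per class. The DNS responses, flows, classification rules and policy names are all constructed for the example.

```python
from ipaddress import ip_address

# Constructed sample input: DNS responses observed on the wire as
# (time seen, queried name, answered IPv4 address) ...
DNS_RESPONSES = [
    (100.0, "ntp.example.net", "192.0.2.5"),
    (101.0, "updates.printer-vendor.example", "203.0.113.10"),
    (102.0, "cdn.video-streaming.example", "198.51.100.7"),
]
# ... and later flows as (time seen, sending device, destination address).
FLOWS = [
    (105.0, "dev-A", "203.0.113.10"),
    (106.0, "dev-B", "198.51.100.7"),
    (107.0, "dev-C", "192.0.2.99"),  # no name translation observed for this address
]
# Hypothetical rules: domain/subdomain suffix -> device class, class -> policy.
CLASS_RULES = {"printer-vendor.example": "printer", "video-streaming.example": "media-client"}
POLICIES = {"printer": "allow-print-only", "media-client": "allow-streaming",
            "unknown": "quarantine-review"}


def build_name_table(responses):
    """Store name and time information keyed by the answered address (claims 1, 8)."""
    table = {}
    for seen_at, name, addr in responses:
        table[ip_address(addr)] = {"name": name.lower().rstrip("."), "seen_at": seen_at}
    return table


def classify_name(name):
    """Match the name's domain or any parent domain against the rules (claim 3)."""
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CLASS_RULES:
            return CLASS_RULES[suffix]
    return "unknown"


def classify_devices(flows, table):
    """Match each flow's destination to a translation seen before the flow,
    classify the sender from that name, and assign the class policy (claim 1)."""
    result = {}
    for seen_at, device, addr in flows:
        entry = table.get(ip_address(addr))
        name = entry["name"] if entry and entry["seen_at"] <= seen_at else None
        cls = classify_name(name) if name else "unknown"
        result[device] = {"name": name, "class": cls, "policy": POLICIES[cls]}
    return result


if __name__ == "__main__":
    for device, info in classify_devices(FLOWS, build_name_table(DNS_RESPONSES)).items():
        print(device, info)
```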
August 31, 2021